panic in tcp_drop (and fix for it)
Andre Oppermann
andre at freebsd.org
Mon Oct 10 18:08:40 UTC 2011
On 10.10.2011 19:36, Navdeep Parhar wrote:
> While stress testing a few systems, I encountered a panic in tcp_drop
> due to NULL tp->t_inpcb. tcp_drop had been called by tcp_timer_rexmt.
> The problem is that timer_rexmt lets go of the pcbinfo and inp locks and
> the inp could be dropped by the time it re-acquires the locks.
>
> The attached patch fixes the problem. I've observed the counter in the
> patch go up by 2-3 in 48 hours or so. If someone can review the patch
> I can push it (without the counter) to head.
Looks good w/o the counter.
> Regards,
> Navdeep
>
> --- a/sys/netinet/tcp_timer.c
> +++ b/sys/netinet/tcp_timer.c
> @@ -439,6 +439,8 @@
> CURVNET_RESTORE();
> }
>
> +static int tcp_rexmt_inpdrop_race = 0;
> +
> void
> tcp_timer_rexmt(void * xtp)
> {
> @@ -495,6 +497,14 @@
> CURVNET_RESTORE();
> return;
> }
> + if (inp->inp_flags& INP_DROPPED) {
> + tcp_rexmt_inpdrop_race++;
> + INP_WUNLOCK(inp);
> + INP_INFO_WUNLOCK(&V_tcbinfo);
> + CURVNET_RESTORE();
> + return;
> + }
> +
> tp = tcp_drop(tp, tp->t_softerror ?
> tp->t_softerror : ETIMEDOUT);
> headlocked = 1;
>
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
>
More information about the freebsd-net
mailing list